Wednesday, January 31, 2018

Australia's New Mandatory Data Breach Notification Law

On February 22, the mandatory data breach notification law comes into effect in Australia. It applies to private entities subject to the Australian Privacy Act including entities with an annual turnover of more than $3 million, businesses that provide a health service, disclose personal information as well as federal government agencies and those that contract with them.

Company that suspects it may have suffered a data breach capable of causing "serious harm" to any relevant data subjects will have 30 days to investigate and conclude whether in fact an eligible data breach occurred. The law does not define "serious harm" but we can assume it involves a degree of significant emotional, physical, reputational or financial damage.

The new law requires the notification statement to be prepared as soon as practicable and delivered to the Privacy Commissioner, as well as the individuals to whom the relevant information relates or who are at risk from the breach. If individual notification is not practicable, the statement must be posted on the organisation's website and its content must be publicised. Agencies and organisations can lodge their statement about an eligible data breach to the Commissioner via the Notifiable Data Breach statement — Form. Here is a flowchart that lists the steps to take following a potential data breach.

US already has a data breach notification law on books. The GDPR will implement it across the EU in May 2018.